Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Cybersecurity outcomes are stalling - what containment changes for teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: At RSAC 2026, cybersecurity keeps adding tools and activity without improving outcomes, because teams still measure progress by compliance and alert volume rather than reduced blast radius or containment, according to Illumio. The practical shift is to treat breaches as inevitable and optimise for limiting spread, not pretending prevention alone will solve the problem.

NHIMG editorial — based on content published by Illumio: Cybersecurity Is Broken: Why Outcomes Aren't Improving and What Needs to Change

By the numbers:

Questions worth separating out

Q: What breaks when organisations measure security activity instead of containment outcomes?

A: When organisations measure activity instead of containment, they can look mature while leaving the same attack paths open.

Q: Why do service accounts and privileged access matter so much to cyber resilience?

A: Service accounts and privileged access determine how far an attacker can travel after the first foothold.

Q: How do security teams know whether containment controls are actually working?

A: Containment controls are working when a compromised identity cannot reach additional systems, escalate privilege, or access sensitive data outside its intended scope.

Practitioner guidance

  • Measure reachable impact, not control volume Replace activity-based scorecards with metrics that show how much lateral movement, privilege spread, and data exposure remain possible after a foothold is gained.
  • Map containment paths for high-risk identities Identify which service accounts, API keys, tokens, and privileged roles could move an attacker from first access to production impact, then isolate or segment those paths.
  • Shorten the lifetime of access that matters most Use just-in-time access, tighter session duration, and removal of standing privilege for identities that can reach sensitive systems.

What's in the full article

Illumio's full article covers the operational detail this post intentionally leaves for the source:

  • The panel-specific discussion on how leading practitioners are redefining cyber success around containment and resilience.
  • The examples of how breach impact can be limited through architecture choices such as isolation, access scoping, and restricted communications paths.
  • The article’s direct commentary from panel speakers on why measurement, risk assessment, and AI-driven attacker scale are changing security priorities.
  • The closing section on how the vendor frames breach containment as a practical response to lateral movement and spread.

👉 Read Illumio's panel analysis of why cybersecurity outcomes are not improving →

Cybersecurity outcomes are stalling - what containment changes for teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Cybersecurity has a containment problem, not only a detection problem. The panel’s core message is that many organisations are still optimising for visibility, activity, and audit completion while attackers continue to exploit the gap between control presence and control effect. That is why outcomes do not improve even when programmes look more mature on paper. In identity-heavy environments, the missing variable is how far an attacker can move after compromise. Practitioners should treat blast radius as the real measure of control value.

A question worth separating out:

Q: Who is accountable when cyber incidents spread because access boundaries were too broad?

A: Accountability sits with the teams that own identity governance, privileged access, platform segmentation, and resilience design, because those choices determine how far an intrusion can spread. Frameworks such as NIST Cybersecurity Framework and NIST SP 800-53 both expect control design that limits impact, not just control presence.

👉 Read our full editorial: Cybersecurity outcomes are stalling because containment is missing



   
ReplyQuote
Share: